Tr0ll was inspired by the constant trolling of the machines within the OSCP labs.

The goal is simple, gain root and get Proof.txt from the /root directory.

Not for the easily frustrated! Fair warning, there be trolls ahead!

Details

After locating the IP address of the target machine on our virtual network (we were not provided with login or networking information), I added the address to my /etc/hosts so I would not have to keep typing out the entire IP.

No surprise here… At this point, I tried to search for data hidden in the images but found nothing useful. The web server seems like a dead end for now, so I’m going to check out that FTP server. After logging in with anonymous:pass, I see that there is a pcap file for us to download.

I download the pcap file and throw it into Wireshark. After skimming over the capture, I notice a file named secret_stuff.txt. Looking down a little further, I notice that this file was downloaded and its contents are readily available to read in the capture.
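The same thing Wireshark shows here (a filename requested over the FTP control channel and the file body travelling in clear text on the data channel) can be pulled out of a capture with a few dozen lines of Python, which is handy when reviewing captures without a GUI. This is an added example, not code from the original write-up: it builds a small constructed pcap (Ethernet/IPv4/TCP, made-up addresses and file contents), reassembles each TCP flow by sequence number, and lists the filenames passed to RETR.

```python
"""Carve TCP payloads out of a pcap file, grouped by flow, to spot a file
transferred over FTP. Added example; the capture below is constructed."""
import struct
from collections import defaultdict


def build_pcap(packets):
    """Serialise (src, sport, dst, dport, seq, payload) tuples into a minimal
    little-endian Ethernet/IPv4/TCP pcap. Test data only, not a real capture."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (src, sport, dst, dport, seq, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zero MACs, EtherType IPv4
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


def tcp_flows(pcap_bytes):
    """Return {(src, sport, dst, dport): payload} with segments ordered by seq."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) captures are handled here")
    segments = defaultdict(list)
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                     # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                                     # not TCP
        total_len = struct.unpack_from("!H", frame, 16)[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport, seq = struct.unpack_from("!HHI", frame, tcp_off)
        data_off = (frame[tcp_off + 12] >> 4) * 4
        payload = frame[tcp_off + data_off:14 + total_len]
        if payload:
            segments[(src, sport, dst, dport)].append((seq, payload))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in segments.items()}


def find_retrieved_files(flows):
    """Filenames requested with RETR on any FTP control channel (dst port 21)."""
    names = []
    for (_, _, _, dport), data in flows.items():
        if dport != 21:
            continue
        for line in data.decode("ascii", "replace").splitlines():
            if line.upper().startswith("RETR "):
                names.append(line[5:].strip())
    return names


# Constructed sample: control channel sent out of order, plus one data channel.
SAMPLE_PACKETS = [
    ("10.0.0.5", 40000, "10.0.0.1", 21, 17, b"RETR secret_stuff.txt\r\n"),
    ("10.0.0.5", 40000, "10.0.0.1", 21, 1, b"USER anonymous\r\n"),
    ("10.0.0.1", 20, "10.0.0.5", 40001, 1, b"constructed file contents\n"),
]

if __name__ == "__main__":
    flows = tcp_flows(build_pcap(SAMPLE_PACKETS))
    print("retrieved:", find_retrieved_files(flows))
    for key, data in flows.items():
        print(key, data)
```

Because the FTP data connection is a separate TCP flow from the command channel, the file body shows up under its own (src, sport, dst, dport) key; correlating it with the RETR line is exactly what "Follow TCP Stream" does for you in Wireshark, and the point for a defender is that anything moved over plain FTP is readable by whoever holds the capture.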

After scratching my head over this message for probably far too long, I finally figure out that this is a directory on the web server. I copy and paste it into my browser and finally make some progress!

Instead of wasting any more time on that route, I write it off as a dead end and decide to try what worked before: check to see if it’s a directory. I copy and paste that address into my browser and we get a hit!

We are presented with two directories, one containing what appears to be a list of usernames and one containing what appears to be a password for one of those usernames. I’m gonna guess that these usernames and password are for SSH. So, after lots of trial and error I discover that the password located in Pass.txt is NOT the correct password. The password is in fact… “Pass.txt” (silly me, what was I thinking).

The correct login information is overflow:Pass.txt. We have shell access! Now we can really start poking around.

Remember, the goal here is to obtain root level privileges so we can read the flag located in the /root directory. After poking around for a bit, I don’t find any files that are particularly interesting and run into lots of dead ends. I finally decide to check the exact kernel release and version of the target system. Running uname -a gives us: Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux

Before diving any further into the filesystem to try and enumerate vulnerable processes, I decide to start with the kernel itself. Using searchsploit, I discover that Ubuntu versions 12.04, 14.04, 14.10, and 15.04 running Linux kernel 3.13.0 - 3.19 are vulnerable to a local root exploit. If you care to read the exact workings of the exploit, which I recommend you do, it can be found here: Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ Privilege Escalation
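The step just described (read uname -a, compare the kernel release against a published affected range) is the same check a patch-management or host-audit script performs, so here it is as an added example in Python; it is not part of the original write-up or of the exploit. The affected interval is taken from the page (3.13.0 through 3.19, interpreted here as inclusive at both ends, which is an assumption). One caveat a practitioner should keep in mind: Ubuntu backports fixes without bumping the upstream version, so the "-32" ABI number and the package changelog, not the 3.13.0 alone, decide whether a given host is actually patched; the upstream range is only a screening signal.

```python
"""Screen a `uname -a` line against a kernel version range. Added example;
the affected range comes from the write-up above, inclusivity is assumed."""
import re
from typing import NamedTuple, Optional


class KernelRelease(NamedTuple):
    major: int
    minor: int
    patch: int
    abi: Optional[int]   # Ubuntu package ABI number, e.g. 32 in 3.13.0-32-generic


# "Linux <host> 3.13.0-32-generic #57-Ubuntu ..." -> version triple plus optional ABI
UNAME_RE = re.compile(r"^Linux\s+\S+\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def parse_uname(line: str) -> KernelRelease:
    """Extract the upstream version and (if present) the Ubuntu ABI number."""
    m = UNAME_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a recognised uname -a line: {line!r}")
    major, minor, patch, abi = m.groups()
    return KernelRelease(int(major), int(minor), int(patch), int(abi) if abi else None)


def in_affected_range(rel: KernelRelease,
                      low=(3, 13, 0), high=(3, 19)) -> bool:
    """True when low <= major.minor.patch and major.minor <= high.
    Defaults are the range stated in the write-up (assumed inclusive)."""
    return low <= (rel.major, rel.minor, rel.patch) and (rel.major, rel.minor) <= high


def assess(line: str) -> dict:
    """Summarise one host's kernel for an audit report."""
    rel = parse_uname(line)
    return {
        "release": f"{rel.major}.{rel.minor}.{rel.patch}",
        "abi": rel.abi,
        "upstream_in_range": in_affected_range(rel),
        # Distro backports mean this is a screening hit, not proof of exposure.
        "note": "confirm via package changelog / ABI number before concluding",
    }


# Constructed sample lines; the first is the one quoted in the write-up.
SAMPLE_LINES = [
    "Linux troll 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:12 UTC 2014 i686 i686 i686 GNU/Linux",
    "Linux host2 3.12.5-generic #1 SMP x86_64 GNU/Linux",
    "Linux host3 4.4.0-21-generic #37-Ubuntu SMP x86_64 GNU/Linux",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(assess(line))
```

Run against a fleet's uname output this yields the hosts worth a closer look; the hard part of the job, checking whether the distribution package already carries the fix, still has to be done against the vendor's security notices.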

Let’s see if we can get this working! Since I have the exploit on my Kali machine, I spin up a simple web server and download the source code of the exploit over to the target system using wget. Next, I compile the C file into an executable and run it. Let’s see what we get…